June 9, 2023

Researchers have detailed a previously unknown form of enterprise-grade Android surveillanceware, dubbed Hermit, that is being used by the government of Kazakhstan and is believed to have been developed by Italian spyware vendor RCS Lab S.p.A. and Tykelab Srl.

RCS Lab is a developer known to have had past dealings with Syria, and it operates in the same market as NSO Group Ltd.

Hermit is a typical modular surveillanceware: it hides its malicious capabilities in packages that are downloaded only after the core malware has been deployed.


The modules, along with the core malware’s permissions, enable Hermit to exploit a rooted device, record audio, and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location, and SMS messages.

Researchers speculate that it is distributed via SMS messages pretending to come from a legitimate source. In examples found by the researchers, Hermit impersonated applications from telecommunication companies and smartphone manufacturers.

When a victim clicks the link, the malware serves up fake pages pretending to be the legitimate sites of the telcos and smartphone makers it impersonates. Those pages immediately start malicious activities in the background.

This discovery gives us an in-depth look into a spyware vendor’s activities and how sophisticated app-based spyware operates. Based on how customizable Hermit is, including its anti-analysis capabilities and even the way it carefully handles data, it’s clear that this is well-developed tooling designed to provide surveillance capabilities to nation-state customers.

Previous countries that are believed to have used RCS Lab solutions include Pakistan, Mongolia, Bangladesh, Chile, Myanmar, Vietnam, Turkmenistan, and Syria.


RCS Lab has not commented on the report. According to its website, it has operated since 1993, providing technological solutions and technical support to law enforcement agencies worldwide. The comparison of RCS Lab to NSO Group is apt.

This research was done by the cybersecurity firm Lookout Inc.

Indicators of Compromise


Network Indicators


Domains

